[Webkit-unassigned] [Bug 33983] Setting <Select>.options.length to remove elements is broken if the page has (or ever had) DOM mutation events registered
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat Jan 23 10:29:10 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=33983
Darin Adler <darin at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #47260|review?, commit-queue? |review-, commit-queue-
Flag| |
--- Comment #5 from Darin Adler <darin at apple.com> 2010-01-23 10:29:11 PST ---
(From update of attachment 47260)
> - const Vector<Element*>& items = listItems();
> + const Vector<Element*> items = listItems();
The const here should also be removed.
If mutation events are involved, then it's not enough to copy the vector. We
also have to ref() the element pointers because there's no guarantee the
mutation event handlers will not eliminate the last reference to one of the
list items.
So this should be a Vector<RefPtr<Element> > and the code should be written to
put the items into that vector.
I'm going to say review- because it seems that if we're going to change this we
should address that problem as well as this more obvious one.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list